[Neurodebian-upstream] False positives for lintian hardening tags

Sebastian Eichelbaum eichelbaum at informatik.uni-leipzig.de
Wed Jan 23 11:12:48 UTC 2013


Hi again

I forgot to mention that I also used hardening-check:

libsuperquadricGlyphs.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!

Using hardening-check on the main OpenWalnut lib:

libopenwalnut.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!

-> so lintian does not complain about libopenwalnut.so, but about the plugin lib libsuperquadricGlyphs.so

Bye
Sebastian

On Wed, 23 Jan 2013, Sebastian Eichelbaum wrote:

> Hi Everyone
> 
> I currently maintain the debian package of OpenWalnut. We provide a package containing several plugins for the software in the form of several separate libraries in /usr/lib/openwalnut. Unfortunately, Lintian complains about missing hardening options and warns with these tags
> 
> * hardening-no-fortify-functions
> * hardening-no-stackprotector
> 
> I have checked whether our build system (cmake) is using the proper flags from dpkg-buildflags which outputs all the needed fortify/hardening options required by the debian wiki (http://wiki.debian.org/Hardening).
> 
> ... and yes it is using the correct flags:
> 
> Compilation:
> /usr/bin/c++ -DsuperquadricGlyphs_EXPORTS -D_FORTIFY_SOURCE=2 -DBOOST_FILESYSTEM_VERSION=3 -DEIGEN_DONT_VECTORIZE -DEIGEN_DONT_ALIGN -DEIGEN_DISABLE_UNALIGNED_ARRAY_ASSERT -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -frtti -pedantic -std=c++98 -Wall -Wno-long-long -Wextra  -O3 -fPIC -I/build/owpack-deb-sid-amd64/OpenWalnut-1.3.0+hg5830/src -I/build/owpack-deb-sid-amd64/OpenWalnut-1.3.0+hg5830/build/versionHeader -I/usr/include/eigen3    -o CMakeFiles/superquadricGlyphs.dir/superquadricGlyphs/WMSuperquadricGlyphs.cpp.o -c /build/owpack-deb-sid-amd64/OpenWalnut-1.3.0+hg5830/src/modules/superquadriGlyphs/WMSuperquadricGlyphs.cpp
> 
> Linking:
> /usr/bin/c++ -fPIC -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -frtti -pedantic -std=c++98 -Wall -Wno-long-long -Wextra  -O3 -Wl,-z,relro -Wl,--no-undefined -Wl,--allow-shlib-undefined,--as-needed -shared -Wl,-soname,libsuperquadricGlyphs.so.1 -o ../lib/openwalnut/superquadricGlyphs/libsuperquadricGlyphs.so.1.3.0 CMakeFiles/superquadricGlyphs.dir/superquadricGlyphs/WMSuperquadricGlyphs.cpp.o -lstdc++ -lm ../lib/libopenwalnut.so.1.3.0 -lboost_program_options-mt -lboost_thread-mt -lpthread -lboost_filesystem-mt -lboost_date_time-mt -lboost_system-mt -lboost_signals-mt -lboost_regex-mt -lGL -losgDB -losgUtil -losgGA -losgViewer -losgSim -losgWidget -losgText -losg -lOpenThreads -lstdc++ -lm -ldl -lGL -losgDB -losgUtil -losgGA -losgViewer -losgSim -losgWidget -losgText -losg -lOpenThreads -Wl,-rpath,/build/owpack-deb-sid-amd64/OpenWalnut-1.3.0+hg5830/build/lib: 
> 
> In these lines you will find the dpkg-buildflags:
> 
> CXX Flags: -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
> LD Flags: -Wl,-z,relro
> 
> The strange thing is that these lintian warnings get thrown only for the plugin package. The main package containing our lib and executable does not throw these warnings. Maybe you know a proper solution (besides overriding these lintian tags) to get this fixed. Maybe one of our other build flags overrides some hardening option?
> 
> 
> Thank you in advance
> and have a nice week.
> 
> Sebastian
> 
> -- 
> Dipl.-Inf. Sebastian Eichelbaum
> Universität Leipzig
> Institut für Informatik
> Abteilung Bild- und Signalverarbeitung
> PF 100920
> D-04009 Leipzig
> 

-- 
Dipl.-Inf. Sebastian Eichelbaum
Universität Leipzig
Institut für Informatik
Abteilung Bild- und Signalverarbeitung
PF 100920
D-04009 Leipzig
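The hardening-check output quoted in this thread is worth reading mechanically when a package ships many plugin libraries, because the tool's verdicts are symbol-based rather than flag-based: "Stack protected" is decided by whether `__stack_chk_fail` appears in the library's dynamic symbols, and "Fortify Source functions" by whether any `__*_chk` variants appear. A library compiled with `-fstack-protector` and `-D_FORTIFY_SOURCE=2` still shows "no" for both when none of its functions has a stack character array and none calls a fortifiable libc function with a compile-time-known buffer size, which is how a correctly built plugin can trigger the two lintian tags while the main library does not. The parser below is an added example, not code from the OpenWalnut project or the mailing list; it reads the two hardening-check reports from this message (embedded as a constructed string), separates checks the tool explicitly ignored from checks that genuinely failed, and maps the failures to the two lintian tags named in the thread (the mapping of other checks to tags is deliberately left out, since the thread does not mention them).

```python
import re

# Constructed from the two hardening-check reports quoted in the message above.
HARDENING_CHECK_OUTPUT = """\
libsuperquadricGlyphs.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: no, not found!
 Fortify Source functions: no, only unprotected functions found!
 Read-only relocations: yes
 Immediate binding: no, not found!

libopenwalnut.so:
 Position Independent Executable: no, regular shared library (ignored)
 Stack protected: yes
 Fortify Source functions: yes (some protected functions found)
 Read-only relocations: yes
 Immediate binding: no, not found!
"""

# Only the two tags the thread names; hardening-check has more checks than this map covers.
LINTIAN_TAGS = {
    "Stack protected": "hardening-no-stackprotector",
    "Fortify Source functions": "hardening-no-fortify-functions",
}

# One check line: leading space, check name, colon, yes/no verdict, optional detail.
CHECK_RE = re.compile(r"^\s+(?P<name>[^:]+):\s*(?P<verdict>yes|no)\b(?P<detail>.*)$")


def parse_hardening_check(text):
    """Return {library: {check name: (verdict, detail)}}.

    verdict is True/False for a real yes/no, and None when hardening-check
    marked the check as "(ignored)" (for example PIE on a shared library),
    so that an ignored check is never counted as a failure.
    """
    results = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        # A library header is an unindented line ending in a colon.
        if not line.startswith(" ") and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            results[current] = {}
            continue
        m = CHECK_RE.match(line)
        if m is None or current is None:
            raise ValueError("unexpected hardening-check line: %r" % line)
        detail = m.group("detail").strip(" ,")
        verdict = None if "(ignored)" in detail else (m.group("verdict") == "yes")
        results[current][m.group("name").strip()] = (verdict, detail)
    return results


def failed_checks(lib_results):
    """Names of checks that are a definite 'no' (ignored checks excluded)."""
    return [name for name, (verdict, _) in lib_results.items() if verdict is False]


def lintian_tags(lib_results):
    """Lintian tags (from the map above) that the failed checks correspond to."""
    return sorted(LINTIAN_TAGS[name] for name in failed_checks(lib_results)
                  if name in LINTIAN_TAGS)


def differing_checks(results, lib_a, lib_b):
    """Checks whose verdict differs between two libraries built with the same flags.

    A difference here is evidence that the build flags are not the cause: the
    symbol-based checks simply found nothing to instrument in one of the libraries.
    """
    a, b = results[lib_a], results[lib_b]
    return sorted(name for name in a if name in b and a[name][0] != b[name][0])


if __name__ == "__main__":
    parsed = parse_hardening_check(HARDENING_CHECK_OUTPUT)
    for lib, checks in parsed.items():
        print(lib, "failed:", failed_checks(checks), "tags:", lintian_tags(checks))
    print("differs:", differing_checks(parsed, "libsuperquadricGlyphs.so", "libopenwalnut.so"))
```

Run over a whole plugin directory, the same parser can be fed the concatenated output of `hardening-check` on each `.so`, and `differing_checks` against the main library quickly shows which plugins are small enough to contain no canary-protected or fortified call at all. That distinguishes a flag problem (every library fails the same way) from the false positive discussed in this thread (only libraries without qualifying functions fail).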